bug: SARIF URI scheme "git" did not match the checkout URI scheme "file" #5003

@nikpivkin

Description

source: https://github.com/aquasecurity/tfsec/issues/1955

Config example:

module "kubernetes-engine_workload-identity" {
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version             = "27.0.0"
  name                = "my-application-name"
  namespace           = "default"
  project_id          = "my-gcp-project-name"
  use_existing_k8s_sa = true
  annotate_k8s_sa     = false
  k8s_sa_name         = "dagster"
  roles               = ["roles/storage.admin"]
}

Output:

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "AVD-GCP-0007",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Service accounts should not have roles assigned with excessive privileges"
              },
              "fullDescription": {
                "text": "Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-gcp-0007",
              "help": {
                "text": "Misconfiguration AVD-GCP-0007\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Service accounts should not have roles assigned with excessive privileges\nMessage: Service account is granted a privileged role.\nLink: [AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)\nService accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account.",
                "markdown": "**Misconfiguration AVD-GCP-0007**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Service accounts should not have roles assigned with excessive privileges|Service account is granted a privileged role.|[AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)|\n\nService accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            }
          ],
          "version": "0.44.1"
        }
      },
      "results": [
        {
          "ruleId": "AVD-GCP-0007",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Artifact: git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf\nType: terraform\nVulnerability AVD-GCP-0007\nSeverity: HIGH\nMessage: Service account is granted a privileged role.\nLink: [AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 91,
                  "startColumn": 1,
                  "endLine": 91,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf"
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}

I used this service for SARIF validation: https://sarifweb.azurewebsites.net/Validation
Validation result:

[GH1005](http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html): runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.

Description of the uri property in the SARIF specification.
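As an added example (not Trivy's code and not part of the issue), a Go check that applies the GH1005 rule quoted above to a SARIF file: it decodes only the fields involved, resolves each result's uriBaseId against originalUriBaseIds, and reports artifact URIs whose scheme (here "git") differs from the base's scheme ("file"). The sample input is constructed from the URI in the issue; the names sarifLog, schemeOf and CheckSARIF are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed input (not Trivy output): the git:: URI from the issue plus one relative path, both under ROOTPATH = file:///.
const sample = `{"runs":[{"originalUriBaseIds":{"ROOTPATH":{"uri":"file:///"}},"results":[
 {"locations":[{"physicalLocation":{"artifactLocation":{"uriBaseId":"ROOTPATH","uri":"git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf"}}}]},
 {"locations":[{"physicalLocation":{"artifactLocation":{"uriBaseId":"ROOTPATH","uri":"modules/workload-identity/main.tf"}}}]}]}]}`
// Minimal SARIF 2.1.0 subset; encoding/json matches keys case-insensitively, so no struct tags are needed.
type sarifLog struct {
	Runs []struct {
		Results            []struct{ Locations []struct{ PhysicalLocation struct{ ArtifactLocation struct{ URI, URIBaseID string } } } }
		OriginalURIBaseIDs map[string]struct{ URI string }
	}
}

// schemeOf returns the lowercased URI scheme: "" for a relative reference, "invalid" if it does not parse.
func schemeOf(raw string) string {
	if u, err := url.Parse(raw); err == nil {
		return u.Scheme
	}
	return "invalid"
}

// CheckSARIF lists the artifact URIs code scanning would drop under GH1005: absolute URIs whose scheme
// differs from their uriBaseId's scheme. Relative references inherit the base; with no base, only "file" passes.
func CheckSARIF(data []byte) ([]string, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var bad []string
	for _, run := range doc.Runs {
		for _, res := range run.Results {
			for _, loc := range res.Locations {
				al := loc.PhysicalLocation.ArtifactLocation
				s, bs := schemeOf(al.URI), schemeOf(run.OriginalURIBaseIDs[al.URIBaseID].URI)
				if s != "" && s != bs && !(bs == "" && s == "file") {
					bad = append(bad, fmt.Sprintf("%s: scheme %q does not match base scheme %q", al.URI, s, bs))
				}
			}
		}
	}
	return bad, nil
}
func main() { fmt.Println(CheckSARIF([]byte(sample))) }
```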

Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)